Table of contents
- White hat hacker - a profession or a calling
- How to Become an Ethical Hacker
- And what about the money?
- How is the ethics of a hacker measured?
- Current situation with Bug Bounty in Russia
- Conclusion
Hacking is a kind of flagship of information security media. Cult films are made about hackers. Many teenagers and aspiring IT specialists want to learn how to become a hacker.
Particular attention is paid to ethical hacking, since it is not only prestigious, but also legal. The concept of "ethical hacker" includes many specialists: pentesters, bug hunters, and others. However, their activities are highly dependent on the legislation of the country in whose jurisdiction they work.
White hat hacker - a profession or a calling
A white hat hacker is a specialist who uses his or her skills and knowledge to protect computer systems, networks, and data from cyber attacks. The goal of such a specialist is to help improve security rather than to engage in malicious activities, which is why white hat hackers are often called ethical.
Many people want to become such a specialist. Breaking the protection of companies, websites and services legally - what could be more attractive! Formally, as soon as a specialist joins one of the open Bug Bounty programs, and for as long as his activities do not violate its rules and regulations, he is an ethical hacker.
But to get onto a Bug Bounty platform, you need at least to acquire a base of knowledge and try out your skills in practice. Fortunately, in Russia there are several ways to master the skills that will make a person a specialist in ethical hacking.
How to Become an Ethical Hacker
If we talk about training programs for a hacker, there are three ways. The first and most difficult, but correct, is to get a specialized higher education in the field of information security. Academic education should not be underestimated - it serves as a foundation on which relevant work information is layered.
A more accessible and faster way is to take ethical hacking courses. Such courses are positioned as a way to learn from scratch, but are more relevant for related specialists who want to try themselves in bug hunting - for example, system administrators and testers. Usually the courses are paid, but you can also find free options. For example, in 2023, the Ministry of Digital Development, together with CyberED, launched the course "Profession - White Hacker" lasting 48 academic hours and with a very interesting program.
The third option for acquiring skills is self-education. Those who do not want to pay for ethical hacker courses and are ready to learn on their own can use training platforms like HackTheBox. The success of this approach largely depends on the starting position and persistence. A number of such platforms also offer free courses on ethical hacking.
The issue of ethics and legality plays a big role in training a white hat hacker. Understanding the boundaries and limits is a basic skill for any bug hunter. After all, if you cross them, there is a high risk of facing a lot of unpleasant consequences.
And what about the money?
It is logical that, having invested in training, a white hacker wants to understand what he will get in the end. After all, a profession is not only moral satisfaction, but also a material base. To understand how much an ethical hacker earns in Russia, we studied vacancies on well-known job sites for the queries "Pentester" and "Penetration tester", as well as:
- The average salary offered to a pentester is $1400-2500;
- Career vacancies for ethical hackers offer much higher salaries - $2000-5000.
But all these are vacancies for the staff of large companies. There is another option for earning money - freelancing on bug bounty platforms, as well as completing one-time orders for a fee.
How is the ethics of a hacker measured?
The word "ethical" in this phrase is well established. The measure of a hacker's ethics is his personal moral guidelines or public opinion. In the context of professional activity, it would be more correct to talk about the legality or illegality of hacking.
Kirill Romanov.
Business Development Manager, Information Security Department, Syssoft.
In world practice, specialists who hack a website, business applications, and other online services of a company to detect vulnerabilities to improve the security system are usually called ethical or white hat hackers. The phrase "legal hacking" has not received widespread use. Such "hackers" do not cause damage to the business and do not use data for their own purposes.
Their task is to identify a vulnerability or error, report the problem to the pentest customer so that he can fix it and prevent information leakage during an attack by intruders.
Legal hacking is hacking that complies with all legal norms of the country in whose jurisdiction the hacker operates. Therefore, the first thing a white hacker should know is the specialized laws that regulate his activities.
But even knowing and following all the laws does not guarantee that the actions of an ethical hacker will not be misinterpreted. Much depends on how the company in whose infrastructure the vulnerability was found treats this information.
Victor Chashin.
Chief Operating Officer of MULTIFACTOR, Certified White Hat Hacker.
If we talk about Russia, a hacker basically cannot protect his activities from any subsequent claims by the employer. The most typical story: in the process of security research, a hacker stumbled upon a vulnerability that could lead to a leak of confidential information. And the employer can contact the police with a statement that, in fact, the hacker gained access to it. Therefore, all such work and contracts are primarily built on mutual trust.
In the conditions of a priori imperfection of any legislative system, especially in such dynamically developing areas as IT and information security, the only reliable instrument of protection is a bilateral agreement between the company and the ethical hacker.
This model is used by pentest specialists. The contract clearly specifies the testing methods, its scope and other parameters. This approach makes it possible to mitigate the risks that arise during penetration testing.
Evgeniy Tsarev.
Managing Director of RTM Group, expert in cybersecurity and law.
Hacking also implies security analysis - and this is a licensed activity. Thus, not just anyone can be a hacker outside special laboratories. For any use of an exploit of the kind used by pentesters, an ordinary citizen can be charged under Article 273 of the Criminal Code of the Russian Federation, with all the consequences.
And when it comes to providing a security analysis service, for example, all basic restrictions, powers, etc. are described in the contract. Also, based on the results of the work, the same pentester prepares a detailed report. And if the client later claims that the services provided caused harm to his organization, this still needs to be proven. For this, among other things, technical examinations are used.
The first thing a white hacker should be able to do is assess risks. Even conditionally legal activity, if not backed by a contract, can have many consequences, and litigation is lengthy and resource-intensive.
In the case of bug hunting, concluding contracts in bulk is impossible for a number of reasons. In such cases, special programs are used - Bug Bounty. The idea is that the company itself agrees to have its system studied by volunteer specialists and guarantees a reward for the vulnerabilities found.
Current situation with Bug Bounty in Russia
Some large IT-oriented companies run such programs independently - for example, Microsoft or Facebook. But these are rather individual examples, and the global practice is the use of Bug Bounty platforms.
There are two high-profile examples of such platforms: HackerOne and Bugcrowd. In terms of the interaction model, this is classic work through an intermediary or guarantor. The platform defines the rules of interaction, attracts companies and bug hunters, and provides the opportunity to search for vulnerabilities safely.
In the current conditions, working with foreign platforms of this type is very difficult, and for some companies it is completely impossible.
The difficulty of working with international platforms has drawn the attention of relevant authorities to the problem of regulating Bug Bounty in Russia. According to Vedomosti, the Ministry of Digital Development is discussing the possibility of introducing the concept of Bug Bounty into the legal field.
Alexander Borisov.
Head of Security Analysis, Innostage Group.
Certainly, the emergence of bug bounty will have a positive impact on the formation of the legal field for information security researchers. In addition, this initiative can bring new specialists to the industry, which is currently in short supply, since the very concept of bug bounty implies compensation for identifying significant vulnerabilities.
So far, the agency has not made any big statements, so it is difficult to judge the level of changes. Perhaps this will be the resolution of minor formalities, which will simplify the interaction between bug hunters and companies. For example, the creation of a legal basis for paying rewards for vulnerabilities found. More significant changes cannot be ruled out.
Alexey Antonov.
Managing Partner, Swordfish Security.
It is not entirely clear how they plan to "legalize" this and what it means at the legislative level. Within the framework of the Bug Bounty programs of VK and Yandex, for example, it is legal to carry out such activities. If someone undertakes to test a company's infrastructure independently, without a contract, then this is already illegal.
In 2023, the Ministry of Digital Development took the first steps towards changing the status and, most importantly, the attitude towards bug bounty in Russia. A project was launched to search for vulnerabilities on State Services and the Unified Identification and Authentication System. Over the course of three months, more than 8.4 thousand bug bounty participants tested the portal's security and competed for a reward. During this time, researchers found more than 30 vulnerabilities, most of which were of medium and low criticality. The minimum payout was 10 thousand rubles, the maximum was 350 thousand.
Then the second program from the Ministry of Digital Development was launched. This time the project duration is 1 year, and there are many more objects of research:
- Government services;
- Unified identification and authentication system;
- Unified biometric system;
- Feedback platform;
- System of interdepartmental electronic interaction;
- National Data Management System;
- Unified information system for managing the personnel of the state civil service;
- Main Certification Authority;
- Unified system of normative reference information.
Despite all this, white hackers have not yet acquired legal status. The Ministry of Internal Affairs and the Prosecutor General's Office of Russia, as well as the Investigative Committee, are against it. They all claim that no amendments to the Criminal Code of the Russian Federation that could legalize ethical hackers should be introduced.
Therefore, the best option for cooperation today is a contract. By the way, thousands of companies use such services, working with security specialists under contracts.
At the moment, the safest and most convenient option for interaction between ethical hackers and companies is the Russian Bug Bounty platforms - for example, The Standoff 365 Bug Bounty from Positive Technologies.
Conclusion
The current political situation has had an important effect on the attitude of the authorities and society towards information security. In particular, awareness has grown of ethical hacking as a tool for finding vulnerabilities.
At the same time, from the legislative standpoint, the situation is far from ideal. Forming an adequate legal framework may take time. And even after the legislative foundation is created, there will certainly be weak points that may not be interpreted in favor of an ethical hacker.
Specialists who are thinking about how to become a hacker and earn big fees for the vulnerabilities they find should remember the risks. The pursuit of success and reckless actions can lead to spending on protecting your own name and to long legal proceedings.